Regulatory Policy Methodology 
Framework 


Information Commissioner’s Office 


Version 1.0 - 5 May 2021 
Page 1 




Executive Summary 

It is important that we have an approach to regulatory policy making that 
delivers evidence-based decisions that focus on achieving clearly stated 
regulatory outcomes. 


The framework describes what we mean by regulatory policy in the ICO, the 
context in which the ICO operates, and the different tools and resources we have 
available to support policy makers. It is non-prescriptive and is designed as a 
guide to good practice for you to apply flexibly. 


The framework contains 7 steps to good policy making. In reality, you may find 
yourself moving through the steps in any order, or working through them 
multiple times to develop and improve policy iteratively. You should use the 
framework as a flexible reference guide to help you to explain the reasons for 
your decisions, and demonstrate how these are supported with relevant and 
reliable evidence. The steps are: 


1. Identifying the issue;
2. Research and analysis;
3. Develop policy options;
4. Consultation (formal and informal);
5. Recommendation and decision;
6. Implementation;
7. Evaluation.


For each step, we describe the questions you should be looking to answer, and 
where you can find help, support and sources of evidence. We’ve included 
guidance on how to assess the impact of your policies on people and the wider 
economy, and links to resources on the web that provide further information and 
good practice. We have also included a framework that articulates the harms to 
individuals and wider society that, as a regulator, we seek to prevent or 
mitigate. 


The framework is a starting point for wider work to develop and support policy 
professionals in the ICO. We will update it periodically, and feedback from those 
applying it to real-world issues will be a vital part of continuing to improve it. 




Table of Contents 


Executive Summary ..... 2
Purpose of this Document ..... 4
Who is this for? ..... 4
Regulatory Policy making at the ICO ..... 5
What is Policy and Why do we Need it? ..... 5
The Context for Regulatory Policy Making at the ICO ..... 5
The Regulatory Policy-Making Process ..... 6
Approaching Regulatory Policy Iteratively ..... 9
The Scope of Regulatory Policy in ICO ..... 9
The Process in Detail ..... 11
Step 1: Identifying the Issue ..... 11
Step 2: Research and Analysis ..... 17
Step 3: Develop Regulatory Policy Options ..... 22
Step 4: Consultation ..... 30
Step 5: Recommendation and Decision ..... 34
Step 6: Implementation ..... 35
Step 7: Evaluation ..... 37
Other Considerations ..... 38
Making Regulatory Policy Quickly ..... 38
Annex A: Summary of Devolved and UK-wide Policy ..... 39
Annex B: Taxonomy of Harms ..... 40




Purpose of this Document 

This document is an important part of your toolkit for reaching better, evidenced, 
outcome-focused decisions. It describes the tools, techniques and processes we 
need to identify an issue and develop the evidence and analysis to underpin 
decision making. This approach underpins effective regulation and our fulfilment 
of our statutory role. It brings our approach to policy development and impact 
assessment (IA) together into one document, recognising that the process of 
assessing options and impacts is integral to developing policy and reaching robust 
decisions. 


It is designed to be a flexible and non-prescriptive tool and should be used 
proportionately. While it can help shape our thought processes and approach in 
day-to-day decisions, it is particularly important that the guidance is used on 
the more complex, novel or contentious issues: for instance, the types of issues 
on which you would seek the views of the Policy Board. 


An evidence-based and outcome-focused approach to policy making is an important 
tool for ICO to meet its regulatory obligations set out in the Deregulation Act 2015 
and the Regulators’ Code. 


The framework is distinct from the Regulatory Action Policy (RAP). The RAP sets 
out ICO’s various powers and provides clear and consistent guidance on how 
they will be used. 


Who is this for? 


The document is aimed at all ICO staff working on or in support of policy 
development, or for those interested in a career in policy. We will be working 
with the policy profession to ensure staff have the skills and training available to 
ensure they are able to put the framework into practice, and will be engaging 
with the policy profession to update and refine the framework as staff continue 
to use it. 


The principles in the framework apply to all kinds of policy making. However, the 
process set out in this document is most suited to larger, longer term policy 
projects. We recognise that ICO policy professionals sometimes also need to 
make policy decisions quickly, and future products will support colleagues to 
apply the principles in rapid, reactive policy work where a fast turnaround is 
needed. 




Regulatory Policy making at the ICO 


What is Policy and Why do we Need it? 

Policy is key to making the ICO’s regulatory priorities a reality. Policy is built on 
understanding issues which require the ICO to develop a new approach, or 
change its existing approach. Policies can vary depending on circumstances, but 
will often entail either specifying a course of action, or outlining rules or 
principles to be applied. Policy should generally aim towards solutions that 
deliver a long term benefit that would not be achieved if the policy was not in 
place. ICO needs policy professionals who are skilled at: 


• Understanding and analysing evidence from different and sometimes 
contradictory sources; 

• Understanding the political, legal and regulatory contexts and the impact 
of public attitudes; 

• Understanding how things work and considering the practicalities of 
delivery from the beginning; 

• Articulating a vision for success and understanding how we will know if we 
have been successful. 


Policy needs to be underpinned by evidence. This can be from a range of internal 
and external sources, including subject matter experts, delivery partners and 
end-users. 


Policy is therefore distinct from, for example, work on a complex individual case 
that can be resolved by applying existing rules, principles or guidelines. 


The Context for Regulatory Policy Making at the ICO 
ICO policy making is conducted within the context of our relationship with the 
legislatures and governments of the UK. 


Role of parliament 


• The UK Parliament enacts laws that contain the legal obligations that ICO 
is responsible for enforcing, and through which the ICO derives its powers 
and duties. 

• ICO is accountable to the UK Parliament. 


Role of government 


• The Information Commissioner must be completely independent and free 
from external influence. The relationship between the ICO and 
government is set out in the Management Agreement (MA) between ICO 
and the Department for Digital, Culture, Media and Sport (DCMS) in 
consultation with the Commissioner; 

• The UK government (and the devolved administrations on certain matters 
- see annex A) sets public policy based on a democratic mandate; 

• The UK Government and the ICO can mutually agree new objectives or 
areas of work, as long as these do not undermine the ICO’s current 
powers or duties; 




• The UK Government can propose changes to the regulator’s powers and 
duties through legislation, which must be passed by the UK Parliament; 

• ICO maintains relationships with the devolved administrations and has 
offices in Wales, Scotland and Northern Ireland. 


Role of the ICO 


• The ICO is responsible for independently applying regulation within the 
framework of legislation. Most notably this includes the Data Protection 
Act 2018 and the UK GDPR; 

• The ICO is also responsible for ensuring compliance with regulations that 
enable the public to access information held by public bodies. These 
include the Freedom of Information Act 2000 (FOI), the Environmental 
Information Regulations (EIR), the Re-use of Public Sector Information 
Regulations (RPSI) and (in some limited cases) the INSPIRE regulations; 

• The ICO also has a duty to have regard to the desirability of promoting 
economic growth, under section 108 of the Deregulation Act 2015; 

• Delivering against our responsibilities can include needing to decide how 
to balance trade-offs between competing priorities, how to interpret legal 
provisions and identifying the challenges and opportunities of emerging 
technologies and business models. Making these types of decision within 
our legislative remit is the essence of regulatory policy; 

• The independence of the regulator is important as governments are also 
subject to data protection regulation and the ICO must be able to 
discharge its duties fairly and without political interference. This is 
required by Article 52 of the UK GDPR; 

• ICO cannot itself legislate (or disregard legislation), but can make 
recommendations to governments (including the UK government and 
devolved administrations) if we think there is a good case for legislative 
change. The government’s ability or willingness to make such changes, 
and the timescales involved will, in such cases, determine some of the 
constraints on ICO’s policy making. 


If ICO is to effectively exercise its independence, it must be able to make 
evidence-based policy decisions within the legislative framework determined by 
the government. This includes decisions about the advice and guidance we 
provide to governments and organisations; how we respond to complaints raised 
by individuals or civil society groups; and how we understand and analyse the 
data protection, information rights and/or FOI implications of new and emerging 
issues, for instance in the context of new data processing practices or data- 
enabled business models. 


The Regulatory Policy-Making Process 

Policy making benefits greatly from a structured approach to identify problems, 
develop options, make decisions and review and evaluate the impact. We have 
set out a seven stage framework for policy making at the ICO. It is important to 
note that the process is rarely linear, and many of the stages will overlap and be 
revisited as the process progresses. The important thing is to be able to show the 
rationale behind decisions that ICO makes by answering the following questions: 


1. Identifying the issue. What is the problem we are trying to solve or the 
opportunity we are trying to influence? What do we know about how this 
is manifesting now and how it is likely to change in the future? What is the 
regulatory outcome that we want to achieve? What might be the impacts 
of the solution or intervention? 

2. Research and Analysis. What does the evidence and analysis say about 
our understanding of the problem or opportunity? Is there evidence of 
harm now or in the future, and which groups or organisations are most 
impacted? What does the wider context tell us about the sensitivity of the 
issue or how effective our policy-making will be? What can we learn from 
previous policy-making and evaluation evidence? 

3. Developing policy options. What are the different approaches we could 
take to the problem? What policy tools do we have available to us and 
what impact will these have? Are we sure that our options are compliant 
with our legal and regulatory framework? To what extent does each option 
achieve the desired outcomes and objectives? What does success look 
like? 

4. Consulting. Have we consulted effectively with stakeholders, including 
ICO colleagues, government, other regulators (including those in other 
countries for international matters), businesses, civil society and the 
public? Do they agree with our analysis of the problem? Do they have 
conflicting or confirming evidence? What are their views on our proposed 
policy options? What are their views on the likely impacts? 

5. Making a decision. Have we effectively presented the options, taking 
into account evidence and feedback? Where should the decision be signed 
off? What do we know about the likely impacts? 

6. Implementation. What is our implementation plan? Are we confident we 
have the resources to implement this effectively? What is our timeline? 

7. Evaluation. What is the process for reviewing and measuring 
effectiveness? Do we need to revise our approach? Do we have any 
recommendations or learning points for future policy-making? 


Annex A provides a high-level summary of which areas of government policy 
apply UK-wide and which ones are devolved. 


We have illustrated the process in the diagram below. This is, of course, an 
idealised representation as noted above, and you should view the following 
chapters as a set of tools that can be applied to different situations, rather than 
a sequence to be followed rigidly. The rest of this document describes each 
stage of the framework in more detail. 




[Diagram of the policy-making cycle. Labels recoverable from the image: 
Identifying the issue; Assessing the evidence; Developing Policy Options; 
Making a decision.] 


Things to remember: 


Policy making is an iterative process. It is best done collaboratively. We 
should constantly review and re-evaluate our policy interventions to make sure 
they are achieving what they set out to, and ensure we are seeking input both 
internally and externally. While the framework is a useful guide to the process it 
will not always be so linear and you may need to respond flexibly to new 
evidence or to changing organisational or stakeholder priorities. You may also 
need to repeat the seven steps, or parts of them, as your evidence and 
understanding of a regulatory problem grows. 


The guidance should be used proportionately: the level of analysis and 
evidence you need to support a decision should depend on the severity, urgency 
or consequences arising from our decision. 


Use the framework flexibly: you may find some stages of the 7 step process 
may be less relevant to an issue than others. Take what is useful from the 
framework. The key point is that you should cover the substance of the seven 
steps: this framework is useful if it helps you to explain the reasons for your 
decisions and demonstrate how this is supported with relevant and reliable 
evidence. 


Support: There are links throughout the document to additional background 
information from ICO and elsewhere, and to the ICON pages for teams that you 
can approach for help on aspects of the policy framework, or on particular 
topics. The Regulatory Futures Directorate are co-ordinating work to develop the 
policy profession. 


Approaching Regulatory Policy Iteratively 

As noted above, policy making in the real world very rarely feels like a neat, 
linear process. This is particularly the case if you are working in a dynamic 
environment in which the political, economic, social or technological context is 
changing rapidly. You may also find yourself under time pressure or faced with a 
problem that requires innovative thinking to solve. 


We can apply good practice from the world of design and software development 
to help with all of these challenges, and to ensure that we implement our 
policies and associated services in ways that work for the people that are 
affected by them. User research offers techniques to ensure that our policies are 
centred on people’s real world needs, and prototyping can speed up and improve 
decision making, implementation and evaluation. In effect, these techniques 
involve moving through the policy process many times in rapid succession, 
maintaining focus on the needs of those most affected by the policy, and 
allowing you to rapidly adapt to changing circumstances. The Cabinet Office 
Open Policy Making toolkit provides guidance on how to use these techniques, 
and is helpful additional guidance if you are making policy in these 
circumstances. We have included references to relevant parts of the toolkit 
throughout. 


You may also find the OECD Observatory of Public Sector Innovation helpful. It is 
designed to support policy makers tackling policy problems that are complex and 
interconnected and includes a wide range of international examples that focus on 
the ways that regulators can be innovative and help to enable innovation. 


The Scope of Regulatory Policy in ICO 

Policy can mean different things to different organisations. ICO exists in a 
different strategic, political and legal context to a government department, so 
the definition and scope of policy within ICO will be different. However, many of 
the tools, techniques and approaches to policy making are transferable between 
different contexts. 


In ICO, policy covers a variety of activities, ranging from the reactive: deciding 
what our position is on a new technology or a novel use of personal data, to the 
proactive: anticipating future information rights challenges and setting out 
recommendations and expectations. It includes managing our key relationships, 
such as those with government, industry or with data protection authorities in 
other countries. 


Good policy-making relies on effective collaboration. For example, legal services 
can provide in-depth interpretation of the law to help establish constraints and 
opportunities offered by current legislation, or an assessment of legal risk 
attached to a particular policy option. Making good policy includes the ability to 
ask an expert the right question, and to incorporate the expert view in the 
context of the bigger picture. 


Collaboration often extends outside ICO, and we increasingly find ourselves 
working alongside sector-specific regulators such as OFCOM or the Financial 
Conduct Authority where a policy has implications that cross legislative 
boundaries. We may also partner with other organisations, including industry 
bodies, for example to develop and deliver a standard. 


To do this effectively, ICO must make decisions that strike the right balance 
between a number of factors that may be in tension. This will sometimes mean 
balancing the rights of individual citizens or communities with the wider 
economic and societal benefits of data processing. 


Examples of recent policy activities in ICO include: 


• Development and impact assessment of the statutory Children’s Code for 
online services used by children, and the Data Sharing Code; 

• Developing a framework for assessing the likelihood and severity of data 
protection harms; 

• The “Outsourcing Oversight” report, which made recommendations to 
extend the reach of FOI and ensure support for information rights in the 
modern world. 


All of these examples required consultation with internal and external 
stakeholders and subject matter experts, and an assessment of a large and 
complex body of evidence across multiple sources. 




The Process in Detail 


Step 1: Identifying the Issue 

The ICO identifies Data Protection and Information Rights problems on both a 
proactive and reactive basis. We use various sources of information to identify 
issues that we think require us to take action. The purpose of this first step is to 
describe what we think the issue is, what we already know about it and where 
there are gaps in our knowledge or evidence. 




The Open Policy Making Toolkit section on “Diagnosis” contains a number of 
techniques that will help you gather the right information. 


You will need to stay in touch with developments on issues you are working on 
as a policy professional. ICO has access to media aggregators such as Mlex and 
Dods, and other subject-specific subscription resources. For advice, you can 
contact: 


• The Knowledge Service for access to journals and subscriptions; 
• The Communications team to be added to media monitoring distribution 
lists. 


Sources include: 


• Information we hold internally that comes from our regulatory activity. 
This includes FOI/DP casework, FOI appeals, personal reports of data 
breaches, helpline queries, regulatory audits, investigations and other 
activity; 

• Evaluation evidence - evidence from evaluation and impact assessment of 
relevant past policy making, both internally and externally; 

• Intelligence - ICO’s intelligence gathering and analysis may identify 
threats or risks that require a wider policy response; 

• Research using external information sources, including horizon scanning 
used to identify emerging issues that may require a response from ICO in 
the future; 

• ICO regions - substantial elements of public policy are devolved to Wales, 
Scotland and Northern Ireland. Our policies must always take account of 
the impact on devolved administrations, and at the same time, region-
specific issues may arise that need a policy response; 

• Our stakeholders - civil society organisations will raise issues with us. We 
also engage proactively with government, industry and academic 
researchers. 


There are a number of teams within ICO that can help you to identify or better 
understand issues arising from both ICO activity and stakeholder concerns. You 
can find links to relevant information on ICON in the “Useful Links” supplement 
to this document: 


• The Insight team explores issues and themes which impact on information 
rights. The team produces thematic reports containing recommendations 
based on analysis of data from a variety of external and internal data 
sources; 

• The FOI Policy and FOI Complaints teams can help to identify trends and 
issues relating to the exercise of FOI rights and how public bodies respond 
to requests; 

• The Knowledge Service can help with any questions about the application 
and interpretation of existing policy positions to specific 
cases/concerns/enquiries. They also manage access to journals, standards 
and other sources of information to support policy development; 

• The Intelligence team identifies current or emerging risks to inform ICO’s 
overall strategy and produces and manages the Strategic Threat 
Assessment; 

• The High Priority Investigations team focuses on particularly novel or 
intrusive issues that present the biggest risk to the public; 

• The ICO Regions teams manage relationships with the devolved 
administrations and provide advice on regional implications of policy 
options; 

• The Relationship Management Service coordinates engagement with 
organisations presenting the highest data protection risk, and also 
engages with influential ‘umbrella’ organisations which can extend and 
amplify the ICO’s reach into key sectors; 

• The Digital Economy Team manages our relations with large technology 
companies; 

• The Parliament and Government Affairs team manages our relationship 
with the UK administration (including ministers, departments and wider 
government); 

• The Economic Analysis team offers support with impact assessment, 
evaluation and understanding harms; 

• The Technology and Innovation (T&I) team provides support with 
understanding the impact of new and emerging technology on data 
protection and information rights; 

• The International Team monitors overseas developments in the ICO’s 
regulatory priorities and coordinates our international engagement to 
promote our policy views. 


Scoping the Issue 

The first step is to identify the scope of the issue, and to understand whether or 
not it requires a policy response. You should think about the material impact of 
the issue, scale, timescales, demographic impact, vulnerability of affected 
groups and geography (particularly if your issue involves a devolved matter such 
as public health). 


This will require some initial research and potentially some early consultation 
with stakeholders, for example undertaking User Research to get an early and 
rapid indication of how people are affected by the issue (this should be 
proportionate to the issue and is not always required). Working through the 
following questions will help you to summarise what you already know and 
where there are gaps in your evidence: 




• First and foremost - what data protection or information rights harms is 
the issue associated with? ICO’s approach to understanding harm is 
explained in the taxonomy of harms guidance (see below), but at a 
broader level it is important to consider whether there is: 

  ◦ A significant amount of complaints or queries regarding an issue 
  that is causing, or has the potential to cause, harm; 

  ◦ A small number of complaints or queries that indicates a more 
  systemic issue that is or could be causing harm; 

  ◦ An emerging issue or technological development identified by 
  horizon scanning that might present data protection or information 
  rights concerns; 

  ◦ Intelligence about an issue that is not leading to complaints or 
  queries, but has the potential to in future (i.e. an emerging issue 
  overseas, or a domestic issue that is invisible to data subjects 
  and/or controllers). 

  (Note: if none of the above apply, it may not be proportionate to 
  progress a policy development process at this time); 

• Can the issue be resolved by an existing policy tool (e.g. the application or 
minor clarification of current guidance, or exercising existing powers)? If 
so, it probably does not require a policy response; 

• What is the cause of the issue? What sustains it? 

• Who is affected? Are any groups of people affected disproportionately? 

• What services or markets are affected? How wide-ranging are the 
impacts? 

• What other consequences does the issue have? What is the impact 
beyond data protection? Are there wider societal harms, or issues of 
fairness and ethics to consider? 

• Is ICO best placed to take action on the issue? Do we have the relevant 
tools, expertise and legitimacy to influence the outcome? Do we need to 
work with other regulators, public authorities, professional, trade or 
representative bodies? 

• Is there a defined process or procedure through which ICO can act? 

• Is the issue time-sensitive? 

• If the issue is technology-driven, do the consequences arise from a novel 
use or combination of existing technology, or is the technology itself new? 


Defining Regulatory Outcomes 

Once you have considered the above questions, you should think about 
regulatory outcomes: what is ICO ultimately aiming to achieve by acting on a 
particular issue? Has the Commissioner or ET already expressed a view? You 
should ensure that outcomes align with: 


• ICO’s Regulatory Priorities; 
• The Regulatory Action Policy (this is currently under review). 


Alignment with wider policy 
Although not necessarily a deciding factor, the wider policy context should be 
considered. Is there any relevant government policy that aligns with or clashes 
with the proposed intervention? Are there any relevant considerations to be 
made of other regulators or legislation outside of the ICO’s remit? 




Useful Tools and Guidance 
ICO Taxonomy of Harms 


Prevention or mitigation of harm is a fundamental purpose for a regulatory body. 
Harm, from ICO’s perspective, can refer to detriment suffered by individuals, or 
to societal harms with collective consequences. Harms can also result when 
individuals or groups are prevented or impeded from asserting their information 
rights (e.g. a lack of transparency around how data is processed or inability to 
hold a public body to account). It can be difficult to quantify data protection and 
information rights harms. ICO has therefore adopted a non-exhaustive 
taxonomy that provides illustrative examples of the full range of harms (see 
Annex B). More detail on how to take harms into consideration is provided in the 
next section on Stage 2. 


PESTLE Analysis 


A helpful way to break down complex issues is to look at their impact on a 
number of important domains, called PESTLE Analysis. The domains are: 


• Political 
• Economic 
• Social 
• Technological 
• Legal 
• Environmental 


The Foresight team within Regulatory Futures and Technology and Innovation 
can provide advice and support for PESTLE analysis. You can find more 
information and some useful templates on the CIPD PESTLE Analysis page. The 
ICO Regions team can often provide additional insights into Political, Social and 
Legal matters in particular. 


Policy Board Decision — Issue Note 

The issue identification process may be the first part in a wider project or piece 
of work. However, in some cases you may be unsure whether the issue you have 
identified requires further analysis. In these circumstances you could choose to 
bring an issue note to the Policy Board, setting out our current understanding of 
a policy issue. It should describe what we already know, where the potential 
risks lie, whether there are competing interests that we need to reconcile, and 
any views on the likely time horizons for the issue. The role of this paper is to: 


• Test with Policy Board whether the articulation of the issue and associated 
risks and trade-offs is accurate; 

• Get Policy Board’s view on whether further development of this issue is 
required, to allow you to prioritise and allocate resource appropriately. 




Where further development is not required, the paper should be finalised, 
incorporating any feedback from Policy Board, and circulated to SLT and the 
policy profession for further cascade where appropriate. 




Step 2: Research and Analysis 

Once we have decided that an issue requires a policy response, the next stage is 
to understand it in more depth and to gather and analyse the evidence that ICO 
needs to decide the best course of action. Our focus at this stage is to fill in the 
evidence gaps we have identified, and build the evidence to underpin our 
understanding. Specifically, we need to understand in more depth: 


• What harm is resulting, or might result, from the issue. This involves 
building the evidence base regarding: 
  ◦ Who is affected and how does it manifest? 
  ◦ What is the scale of the harm? 
  ◦ How can the harm be measured and assessed? 
  ◦ What is it about the issue that causes harm? What are the effects 
  and consequences of harm? 

• What causes the issue, and what are the drivers that sustain, amplify or 
mitigate it? Is the issue a new problem we must solve, or have we 
identified an opportunity to make improvements? 

• What is the context in which the issue takes place? Are the affected 
groups particularly affected by the issue or the proposed intervention? Do 
they have strong views about them? 

• Which causes and drivers are relatively the most important? 

• Which stakeholders are most affected by the issue, and what are their 
views? 

• What level of public awareness and understanding is there about the 
issue, and do different groups have different views? Is the issue likely to 
receive public and media interest? 


The Open Policy Making Toolkit includes a wide range of techniques that can help 
you frame your research questions. 


Planning Research and Analysis 

You should consult with your Group Manager, Head of Department and/or 
Director to agree how research and analysis will be delivered. Timing will depend 
on the complexity of the issue, and any deadlines or other time-critical aspects 
associated with it. 


Make sure that you allow as much time as you can to identify and consult with 
stakeholders and experts. 


Analysing Harm In Detail 

You already considered what harm is associated with your policy issue as part of 
Step 1. When thinking about harm in more detail, there are a number of key 
dimensions to consider: 


• Likelihood and Severity: harms can be measured by combining the 
likelihood that they will have an impact on either a general population, or 
on specific groups within it, and severity - the breadth and depth of the 
likely impact; 




• Breadth and Depth: severity can be further understood by considering 
breadth (how many people does the harm affect?) and depth (how serious is the 
impact?). 


Harms can be diffuse: an issue that affects many people may have only a small 
effect on individuals, but a large, cumulative effect on society. The impact of 
harm may not be felt equally: the brunt of a particular harm may be borne by 
particular groups or communities. 


We may be reacting to harm that has already occurred, or acting pre-emptively 
and proactively to prevent or avoid harm that we believe is at risk of occurring. 


Your aim should be to gather evidence to answer the following questions: 


• What type of harm does the issue cause? 

• Has harm already occurred? If not, what evidence do you have that there 
is a risk of harm? 

• Who is affected? 

• Does everyone affected suffer the same type of harm? If not, why? 

• Are some stakeholders better able to mitigate or avoid the harm than 
others? 

• Does different stakeholders’ perception of harm affect their behaviour (for 
example, are some stakeholders more or less willing to use a service)? 

• Are there different views about the appropriate balance between 
mitigating harm and any trade-offs that may require? 

• How can the harm best be measured or expressed? 

• Are any other organisations planning or taking action to prevent, mitigate 
or avoid the harm? 

• What assumptions have you made? How are your assumptions justified? 


Analysing Benefits 

Some issues and policy interventions may focus on opportunities to achieve 
benefits, as well as or instead of preventing and avoiding harms. A similar 
approach should be taken as with harm and the same questions should be asked 
in gathering evidence on benefits. 


What are the causes and drivers of the issue you have identified? 

Causes and drivers are the factors that create or sustain the issue you have 
identified. Most issues will have more than one factor behind them and each 
factor will have a different degree of influence on the issue. Understanding this is 
critical to understanding what our options are for taking action. 


Mapping techniques can be helpful in visualising how the factors that influence 
an issue interact with both the issue itself, and with each other. Systems 
Mapping is one such approach used in government (see an example here of how 
it can help to visualise complex problems). Regulatory Futures can explain more 
about how you might apply this. Systems mapping may be scaled up or down in 
complexity to match the issue. 


When considering causes and drivers, you should ask yourself: 




• What factors are causing or sustaining the issue? 

• Are the issue and its causes new, or have they been in place for some 
time? 

• Of the causes you have identified, which are the most important? 

• How do the issue and its causes affect our stakeholders, including data 
subjects and the wider public? 

• Does ICO have the ability to take action on any or all of the causes, or are 
they outside our remit? 

• What sectors of the economy does the issue impact the most? 

• Could we address the issue more effectively by taking joint action with 
other regulators - for example, does it affect a particular industry sector? 

• How do Data Protection Authorities in other countries approach the issue? 
Can we learn from them? Has the issue been discussed by international 
bodies of which ICO is a member, such as the Global Privacy Assembly? 


Open Source Research 

Much of the research that ICO carries out uses open sources, that is, sources 
of information and evidence that are publicly available, including social media 
activity by individuals or groups. It is very important that open source research 
is carried out in accordance with ICO’s Open Source Research Procedure. Failure 
to observe the legislative and good practice requirements for research may 
prejudice the outcome of investigations or other casework. 


This is particularly important when the issue that you are examining is pertinent 
to ongoing investigations or casework. The Open Source Research Procedure 
must be used in conjunction with this document and the procedure must be 
followed for any open source research conducted. 


Evidence gathered through research provides the basis to decide our policy 
position on a particular issue, and to develop options for taking action. 


Desk-based Research 
This should include a review of existing resources such as: 


• Our existing research and knowledge - the Knowledge Service can help 
with this; 

• Advice from legal services, in particular to ensure that we understand how 
the existing legal framework and our powers and remit apply to a given 
issue; 

• Thematic reports from the Insight team; 

• Intelligence - you can contact your directorate’s Intelligence Champion for 
support, or make a research request if you need intelligence from multiple 
sources; 

• Evaluation evidence - evidence from evaluations and impact assessments 
of relevant past policy making, both internally and externally; 

• Reporting from operations (such as Kepler and Foresight in the case of 
COVID-19 related issues); 

• Consultation with ICO Regions to identify any region-specific aspects of 
the work. 




You should also review external sources. The Knowledge Service has access to a 
variety of tools for media searches and access to academic and professional 
resources, and can advise on how to find and use them. 


• Mainstream and specialist media reporting (you can use search and 
aggregation tools that ICO has access to, such as MLex and Dods, to help 
with this); 

• Grey literature including corporate reports and white papers, market 
research, research from civil society groups and think tanks; 

• Academic literature - via the Knowledge Service and services such as 
Google Scholar; 

• Any relevant court or tribunal cases (interpreting the wider implications of 
judgements may form part of your work with legal services). 


Media reporting and grey literature are likely to reflect the agenda of the people 
who produce it. Academic literature is often (though not always) rigorously peer- 
reviewed, and tends to be more objective. However you should never assume 
any source of information is free from bias. 


Commissioned research (optional) 
The ICO has a specific budget for research to be commissioned on larger, 
significant issues. 


Where the issue is widespread and significant, dedicated research to inform the 
development of our policies may be beneficial. The outcome of the research can 
then feed into possible solutions. It may also flag up other policy issues which 
then need to be assessed via this overall process. 


Commissioning external research needs careful planning, and it is important to 
be clear about what questions you want the research to answer. There are many 
different types of research, which fall into two broad categories: qualitative and 
quantitative. The type you choose will depend on the evidence and insights you 
need. 


Quantitative research focuses on numerical and statistical data, for example a 
large-scale survey. Key considerations are around your sample (the people or 
organisations that respond to the survey) — how large is it? Is it representative 
of people affected by the policy issue, or of the broader population? What 
questions will you ask? How will you analyse the data? How will you report the 
results? 


Qualitative research focuses on exploring or validating a hypothesis with a 
smaller sample. It is not about generating numerical data. Structured one-to-
one stakeholder interviews or focus groups are types of qualitative research. 
Deliberative research is a type of qualitative research where groups of people 
are provided with more information about an issue through the research process 
to assess whether their opinions change as they learn more. Whilst small 
samples are not representative of the population at large, qualitative research 
allows you to explore issues in more depth and is useful either as a complement 
to quantitative research or where understanding the nuance and complexities of 
public views is important. 


The Market Research Society (MRS) offers a variety of resources, including a 
guide to working with market researchers which summarises the different 
market research techniques. If you are commissioning your research, it will help 
to understand how to frame your research questions and work with suppliers. 


You will need to make sure that you follow procurement rules when you 
commission research, and consult with information governance to ensure that 
ICO maintains its own information rights compliance when carrying out research. 
It is always advisable to engage with the Procurement and Finance Team early 
on to ensure that you follow the correct procedure. 


You will also need to think about the data protection implications of collecting, 
using and potentially publishing the evidence gathered during research. Please 
contact Regulatory Futures for further advice and information on available 
budget and resources. 


Next Steps 

Once you have gathered evidence to demonstrate the problem that you are 
trying to solve, what causes and drives it and the harm that results (or might 
result), the next stage is to use that evidence to develop options for ICO to take 
action. You may also want to think about consultation - a call for views or call 
for evidence could provide valuable additional insights and perspectives on your 
research findings. The following sections contain more detail on these steps. 




Step 3: Develop Regulatory Policy Options 

The next stage is to develop a position on the issue, and our options for taking 
action. Our policy position on any given issue articulates what ICO thinks 
about the issue, why we think it needs to be addressed, and our desired 
objectives and end state. In effect it is a summary, based on evidence, of the 
steps we have undertaken so far. 


This should not be done in isolation. The Open Policy Making Toolkit offers a 
wide range of techniques for collaborating with stakeholders to generate ideas. 
You may also want to get some real-world evidence to help options analysis by 
using prototyping. 


Policy Options represent the range of potential actions that ICO can take to 
address the causes or drivers of the issue, or mitigate its harms in order to 
achieve our desired outcome. 


Options Analysis considers the costs, benefits, risks, advantages and 
disadvantages associated with each option as well as their contribution to the 
overall objectives. 


Developing a Regulatory Policy Position 
Answering the following questions will help you develop your policy position: 


• What are we trying to achieve by our intervention, and how will we know 
if we have been successful? Think early on about how you will review and 
evaluate the impact of our intervention (see the section on Review later) 
and be mindful that external stakeholders (such as government, data 
controllers and interest groups) will judge our policy options and 
interventions in the context of the harms we have evidenced; 

• Consider setting out a list of critical success factors upon which to assess 
each of the options (see paragraph 4.27 of HMT’s Green Book guidance); 

• How do our objectives address the causes and drivers of an issue, or the 
harms arising from it? 

• What legal or regulatory duties or obligations affect our choice of 
objectives? 

• How well do our objectives align with the Information Rights Strategic 
Plan? 

• How might ICO’s objectives be perceived by our key stakeholders, such as 
news media, UK government, devolved administrations, local government 
and consumer and industry groups amongst others, and how do we want 
to influence them? 

• Does the issue have international implications? For example, does it entail 
transfer of personal data between countries? 

• How might the different options be implemented? (e.g. What is a realistic 
timeframe for implementation? Should there be a transition phase 
whereby compliance with the policy intervention is voluntary rather than 
mandatory? Should there be thresholds that determine who a policy 
intervention applies to?) 




Policy Board Decision - Approach Paper 

At this point, and before moving to develop detailed policy options, you could 
consider submitting an Approach Paper to Policy Board. An approach paper 
builds on the Issue Note by setting out an intended approach to reach a 
proposed policy position. 

It also provides an opportunity to outline the evidence gathered during research 
and analysis, particularly around harm, in greater detail, set out how you intend 
to engage internal/external stakeholders and highlight the relationship to other 
relevant work. 




Developing Options 

Policy options outline in detail the different ways that we can achieve the 
objectives set out in our policy position. You will need to create an initial shortlist 
of options, ruling out any that are obviously ineffective or disproportionate to the 
issue. Depending on the nature of the issue, options may contain a package of 
different actions, for example to address multiple harms associated with the 
issue. 


Once you have done this, you will need to give careful consideration to the 
impact of each plausible option, setting out: 


• Direct and indirect (behavioural)¹ costs and benefits to the ICO; 

• Direct and indirect costs and benefits to relevant controllers and data 
subjects; 

• Direct and indirect costs and benefits to wider society. 


To arrive at a view of each option, you should consider: 


• That the aim is to identify all impacts, on data subjects, data controllers, 
ICO, government (whether UK, regional or local), innovation etc; 

• The extent to which the option achieves ICO’s desired regulatory 
outcomes; 

• That this includes thinking about impacts on economic factors (e.g. 
competition, investment drivers, economic growth) and where our actions 
might conflict with the objectives of other regulators; 

• Distributional effects, particularly the impact on protected characteristics 
and vulnerable people; 

• How you deal with uncertainty (e.g. sensitivity testing, ranges). 


You should always evaluate maintaining the status quo as an option (this is 
sometimes called the “do nothing” option, though this is not an entirely accurate 
label). This will provide a baseline to evaluate your proposed interventions 
against. This helps to mitigate the risk that we will take actions that do more 
harm than good, or expend resources on actions that have only marginal 
benefits. Beyond this, you should also consider a do minimum/less (something 
between the preferred option and the status quo) and a do more (something 
that goes further than the preferred option) to help evidence that the preferred 
option has been pitched at the right level. 


It is useful to think through the theory of change for each of your policy options. 
A summary diagram from the Magenta Book on evaluation can be seen below. 
For more information see section 2.2.1 of the Magenta Book. 


¹ Further discussion on direct and indirect impacts can be found in: Regulatory Policy Committee, RPC case histories — direct 
and indirect impacts (2019) 




[Diagram: theory of change summary from the Magenta Book. Across the top: 
“Contextual factors and external influencers”. Four stages, left to right: the 
resources committed and activities undertaken; what is delivered or produced; 
the early or medium term results; the long term results. Across the bottom: 
“Supporting activities to help bring about the changes (assumptions) required”.] 


Whilst the options that you develop will be specific to the particular issue you are 
trying to address, the actions they encompass will tend to fall into the same 
broad categories, with similar considerations attached: 


• Increase education and awareness of the issue amongst key stakeholders, 
for example through targeted communications and/or ICO guidance; 

• Behavioural change by key stakeholders achieved through close 
engagement; 

• Voluntary agreements such as codes of conduct developed by co-
production with stakeholders; 

• Change the way that ICO acts on the issue, for example through stricter 
or lighter touch enforcement of a particular regulation to achieve an 
outcome; 

• Work with the appropriate government(s) where we have identified that 
placing one of our codes on a statutory footing, or a legislative change, is 
the best way to achieve a particular outcome. 


Determining the best course of action requires proportionate risk and benefit 
assessment. More complex interventions need more input from subject matter 
experts to accurately assess options and a greater depth of analysis of 
supporting evidence. 


Questions you should ask yourself when developing options include: 


• What can ICO do? And what could be done by regulated businesses, trade 
bodies or others without formal intervention from ICO? 

• Could competition be used effectively to achieve our objectives? 

• Could we achieve our objectives by doing less, or by recommending that 
regulations that do not deliver the intended outcomes could be repealed 
or amended? 

• What expert advice do we need to develop our options? 

• Can existing solutions be adopted or adapted to achieve our objectives? 

• How complex is it to implement each option? What are the barriers? Do 
we need to work in partnership to deliver it successfully? 

• What qualitative or quantitative measures can we use to evaluate the 
impact of an option? How will we know whether or not it is successful? 

• Has due regard been given to the equality impact of each option across all 
relevant Protected Characteristics? 

• What evidence is available or needed to value or estimate costs and 
benefits? 


Options Analysis and Impact Assessment 

Having developed a range of options to intervene on an issue, the next stage is 
to analyse and evaluate each option to enable ICO to make the best possible 
decision. 


You will not always have time to carry out an in-depth, quantified impact 
assessment. ICO is developing lessons learned, including good practice, from 
operations carried out during the COVID-19 pandemic (Operations Kepler and 
Foresight). These entailed rapid development of policy positions on emerging 
issues. 


HM Treasury's Green Book provides full guidance on impact assessment. The 
Logic Mapping approach developed by Department for Transport is a useful 
additional technique. 


The assessment of options should be quantified, including economic and financial 
costs and benefits (“monetise” the options, in HM Treasury terminology), wherever 
it is proportionate to do so. This is often challenging for data protection and 
information rights because many of the costs, benefits and associated harms are 
intangible. Three principles can guide you in this judgement: 


• Policy context - what is the importance or sensitivity of the issue? Is it 
novel or contentious? 

• Analytical considerations - what data is available now, what is the resource 
cost of gathering more evidence and what is the degree of uncertainty 
around expected impacts? 

• Practical considerations - how much time or resource is available to 
dedicate to the issue, and what constraints or requirements does our 
regulatory or legal regime impose? 


Because many of the harms ICO seeks to address are intangible, the costs and 
benefits of potential interventions by us, and other regulators, can be difficult to 
quantify. We propose four broad levels of Impact Assessment, the use of which 
should be guided by the three principles listed above. When considering the 
most appropriate level, you should balance a need to provide robust analysis 




with the resource and time available. It is important to note that impact 
assessments include multiple costs and benefits, and the appropriate level 
should be chosen for each impact meaning that most impact assessments will 
include a combination of levels. 


Level 1 - Describe impacts 

Focuses on who is affected, broad magnitude and the types of benefit or cost 
that may arise. This may be suitable in cases where relatively few stakeholders 
are affected, or decisions are non-contentious or at low risk of challenge. It is also 
suitable at the very early stages of policy development or where availability of 
data is very limited. 


Level 2 - Quantify impacts 

This provides an indicative scale or value to help describe the size or magnitude 
of likely impacts on affected stakeholders. This is more appropriate in the early 
stages of policy development where data to monetise costs or benefits is not 
easily available. 


Level 3 - Monetise impacts 

This is appropriate for more significant or novel interventions, or perhaps where 
some stakeholders are disproportionately affected, and where data is readily 
available or easily collected. This level of analysis is appropriate for some of the 
impacts in the statutory codes of practice, as was the case recently for the Age- 
Appropriate Design Code. 


Level 4 - Fully monetise impacts 

Appropriate where there are significant or very different impacts on stakeholders, 
or the decision is contentious, novel or at high risk of challenge. The effort to 
collect additional evidence and undertake analysis is justified by the significance 
of the decision. 


Help with Economic Analysis 
An introductory training programme is in preparation but in the meantime please 
contact the Economic Analysis team with any queries. 


The Equality Duty, and People Impact Assessments 
The Public Sector Equality Duty obliges ICO to pay due regard to the three 
aims of the general equality duty to: 


• Eliminate unlawful discrimination, harassment and victimisation and other 
conduct prohibited by the Equality Act 2010 (EA 2010) and related 
Northern Ireland legislation; 

• Advance equality of opportunity between people who share a relevant 
protected characteristic and those who do not share it; 

• Foster good relations between people who share a relevant protected 
characteristic and those who do not share it. 


The nine protected characteristics in the EA 2010 are: age, disability, gender 
reassignment or gender identity, marriage and civil partnership, pregnancy and 
maternity, race and ethnicity, religion and belief, sex and sexual orientation. 




As a body which carries out functions in Northern Ireland, the ICO is subject to 
s75 of the Northern Ireland Act 1998. This obliges public authorities, in carrying 
out their functions relating to Northern Ireland, to have regard to the desirability 
of promoting good relations between persons of different religious belief, political 
opinion or racial group. 


Personal data relating to some of the protected characteristics is considered to 
be Special Category Data. Such data may be an important part of your evidence 
and it is essential that you ensure that it is properly protected. If your issue 
involves genetic or biometric data, keep in mind that, whilst it is not a 
protected characteristic as such, it is classed as Special Category Data, and may 
potentially be used to infer data relating to protected characteristics. 


The Equality and Human Rights Commission has produced guidance on meeting 
the duty. To support options analysis, the key questions that you will want to 
focus on are: 


• Does the policy affect service users, employees or the wider community? 
The relevance of a policy to equality depends not just on the number of 
those affected but on the significance of the impact on them. 

• Is it likely to affect people with particular protected characteristics 
differently? 

• Is it proportionate to test how different service users interact with and are 
affected by a policy intervention, e.g. users with protected characteristics? 

• Is it a major policy, significantly affecting how functions are delivered? 

• Will the policy have a significant impact on how other organisations 
operate in terms of equality? 

• Does the policy relate to functions that have been identified through 
engagement as being important to people with particular protected 
characteristics? 

• Does the policy relate to an area with known inequalities? 

• Does the policy relate to any equality objectives that have been set by 
ICO? 


As well as evaluating your policy options against these questions, you will also 
want to evaluate the impact on equality of allowing the harms to continue 
unchecked. 


ICO’s Equality, Diversity and Inclusion (EDI) board has developed a new guide 
and screening forms to help you undertake a People Impact Assessment (PIA), 
also known as an Equality Impact Assessment (EQIA) - the terms are 
interchangeable. The PIA is a tool that helps us analyse policies and practices to 
make sure we do not discriminate against or disadvantage our staff, customers, 
stakeholders, or members of the public. Carrying out a PIA involves 
systematically assessing the likely or actual effects our policies, activities and 
decisions have on people in respect of their protected characteristics. 




What does Success Look Like? 

Before moving to consultation, you should make sure that you have a clear 
understanding of what success looks like (which aligns closely with the policy 
objectives), and what success doesn’t look like (or in other words, the 
foreseeable unintended consequences you would want to avoid). It is important 
to consider measurement and evaluation early on during the formulation of the 
policy position. This acts as a check and balance to make sure that we know why 
we are making the chosen intervention, as well as ensuring that we have a 
procedure in place to assess whether it meets its aims and objectives in the 
most effective way. You should not leave this until later in the process. 


For each option you should set out a vision for what success would look like, and 
consider what evidence you will need to demonstrate success. Further 
information can be found under Step 7: Review. 




Step 4: Consultation 

Consultation involves engaging external stakeholders, which may be 
organisations or individuals, in our work to support transparency. In a policy 
context, consultation is critical to robust intervention, as it allows us to seek 
feedback on our understanding of a problem and on whether our proposed 
approach or options are necessary or desirable. 


Given that robust policy development relies on stakeholder consultation, it is 
important to have a clear plan as to how stakeholders (both internal and 
external) will be consulted during the policy development process. A 
stakeholder engagement plan can be developed which spells out who is likely to 
be impacted by a policy (e.g. data subjects and controllers), who will have a 
large influence over policy development (e.g. government) and who might be 
champions of, or opposed to, particular interventions. These factors should 
shape the consultation activities (e.g. calls for evidence, workshops, bilateral 
meetings etc.) that take place with relevant stakeholders during policy 
development. As set out in central government guidance on evaluation (see 
section 1.10 of the Magenta Book), relevant stakeholders can include: 


• Those responsible for the intervention under consideration: these 
are the people who have most to gain from evidence that can reduce risk 
and uncertainty, and from learning what is working and what is not. 

• Those responsible for future policies: this group will require evidence 
on what worked (and/or did not), why and how, and on transferable 
lessons. 

• Those responsible for appraisal analysis: they will have the most 
insight into what evidence and data were missing from the appraisal of 
the intervention, and what will be useful for the appraisal of future 
policies. 

• Those responsible for scrutinising government decisions and 
spend: those that hold government to account are an eager audience for 
evidence around the efficacy of the intervention’s design and delivery, and 
its impact and cost. 

• Participants / recipients of the policy: those affected by the policy are 
typically also key participants in the evaluation. Their input is required, 
but they will also have evidence needs and a perspective on what 
elements of the policy should be focused on. 

• Those delivering the intervention: typically, although policies are often 
designed in central government, they are delivered by others, in many 
cases through a long delivery chain. Evaluation should be alive to the 
needs and issues of all those in the delivery chain. 

• The public (often via the media): a key line of accountability is to the 
public, who are keen to know that government money is being spent 
wisely, and that we are learning from past experience. 

• Academics / other researchers: government is rarely the only 
interested party in a specific policy area. Academics and other researchers 
are often able to spend time scrutinising government data. It is important 
to work with them to ensure the best use of the research evidence is 
being made and the maximum learning is being extracted. 


Corporate Communications can offer advice and support on consultations. There 
are some circumstances in which we are required by legislation to consult, such 
as the development of a statutory code. 


Formal consultation should be used once you have developed your analysis and 
evidence sufficiently to articulate the range of potential policy options. You may 
or may not have completed a full options analysis prior to consulting, and the 
right timing will depend on the issue you are addressing. You may, for example, 
want to put out a Call for Evidence or Call for Views as part of your research and 
evidence gathering to better understand how stakeholders view a particular 
issue. 


You will need to give careful consideration to the type and scope of consultation 
that you undertake, taking into account the issue that you are addressing and 
the stakeholders who will be most affected by the issue, and by ICO’s proposed 
intervention. 


You should bear in mind that consultation is unlikely to be the best vehicle for 
seeking views from the public. Getting representative views from members of 
the public is best done through commissioned research, as set out in step 2. 


We do not need to consult on every policy initiative - although it is necessary to 
do so if a policy intervention will or is likely to have a material impact on 
stakeholders. The table below indicates a range of situations where consultation 
is appropriate and good practice: 


Situation: A significant change to our interpretation of the law that will have 
practical consequences for data controllers, public authorities or citizens 
Example: 
• Updated guidance on an existing issue 

Situation: A statutory obligation to do so 
Example: 
• Developing statutory ICO Codes of Practice 

Situation: Likely to be a significant effect on a particular sector or activity 
Examples: 
• telecommunications; 
• keeping personnel files 

Situation: A need to find out about something we don't understand 
Examples: 
• A call for evidence on a new policy issue 
• Early engagement with service users to better understand their wants and 
needs 

Situation: Controversy or uncertainty over an ICO approach to an issue 
Example: 
• A disagreement over the content of guidance with a political element 

Situation: A need for engagement 
Examples: 
• organisations' unwillingness to comply with the law; 
• misunderstanding of the law as explained in ICO guidance 

Situation: A significant effect on complaints handling/other ICO business 
Example: 
• Publicising a change of position on a particular matter, or to advice that we 
provide to stakeholders 


It is important to pay due regard to the comments and evidence we receive as a 
result of consultation and we should be open to making changes as a result of 
the responses to a consultation. 


There are three broad types of consultation, described in more detail below: 

• Formal, public consultation; 
• Closed consultation; 
• Informal consultation. 


Formal Public Consultation 
This is appropriate: 


• where the ICO issues a significant piece of guidance or a code of practice; 
or 

• in the case of statutory codes of practice. These are codes that relate to 
aspects of the Data Protection Act 2018. They are legally binding and 
require the approval of the Secretary of State. A recent example is the 
Children's Code. 


If you are recommending this type of consultation you will need to follow the 
ICO Consultations Policy available on ICON. 


Closed Consultation 

This is a more limited type of consultation. It could involve a small group of 
experts on a particular topic during the scoping or drafting process, or as part of 
the product sign off. 


In practice you would contact organisations that have shown a particular interest 
in a subject, have previously demonstrated a willingness to engage with or who 
will obviously be affected significantly by - say - a change to our guidance. We 
can ask experts we know to nominate other participants and then host an event 
for between 10 - 20 participants. 




Informal Consultation 
This could take a number of different formats, for example: 


• Using the Relationship Management Service's and Digital Economy Team's 
current stakeholder relationships; 

• Using the Innovation Hub to support working with a cross-section of 
regulators, umbrella bodies/catapults and innovative businesses; 

• Using ICO Regions to help manage consultation with stakeholders in 
Scotland, Wales and Northern Ireland; 

• Engaging with other UK regulators; 

• Using the International team's relationships with other data protection 
authorities, and groups such as the Global Privacy Assembly, to seek 
views on issues with a global interest; 

• Workshops, teleconferences and email dialogue with existing contacts; 

• Internal discussions with other ICO colleagues, either as part of the initial 
scoping work or the final sign-off procedure. 


Consultation Techniques 
The Open Policy Making Toolkit offers a number of techniques to help ask the 
right questions and elicit the information that you need from your stakeholders. 


Techniques listed as part of the section on Understanding User Needs are 
particularly useful for discovering and diagnosing policy problems and 
challenges. 


Techniques listed as part of the section on Generating Ideas are particularly 
useful for translating user needs into potential policy positions or options. 


Using Information Gathered During Consultation 
The information that you gather during consultation should provide insights into: 


• The scale and materiality of harm the identified issue is causing; 

• How your stakeholders understand the issue you are addressing and the 
"real world" impact it is having; 

• Whether your stakeholders think that your proposed interventions or 
policy positions will be desirable and/or effective; 

• What your stakeholders think ICO should actually do; 

• The scale of impacts and potential unintended consequences of your 
proposed intervention or policy position; 

• Other related issues or problems that are affecting them. 


The outputs from your consultation should be weighed against the other 
evidence that you have gathered, and should form part of your analysis of each 
policy option. 


You may discover other, related policy issues during consultation. 


You will need to carefully consider any data protection implications arising from 
your consultation process. 




Step 5: Recommendation and Decision 


Making a Recommendation 

Before finalising your policy options, you should set out your options with a 
clear recommendation of the preferred option, based on the evidence you have 
gathered and the consultation you have undertaken. 


You should provide a clear explanation why this option is your preference, and 
consider the practical steps necessary for implementing it, in particular: 


• Cost and resource implications for ICO and stakeholders; 

• Impacts on the ICO, key affected groups and wider society; 

• Whether new or updated guidance is needed; 

• Supporting communications and media campaigns; 

• Legal implications, including the interface with other regulators/regimes and 
any legal risks to ICO; 

• How you will evaluate the option if it is implemented; 

• Operational implications. 


Policy Board Decision - Position Paper 

For significant, strategic policy decisions the final decision-making step is 
normally to put a position paper to Policy Board. A position paper sets out our 
desired policy position in detail. It should include your options analysis, results of 
consultation and recommendation as outlined above. You should also provide an 
outline implementation plan. The paper should state whether it applies to the 
whole of the UK, any one part of it, or a combination (e.g. England and Wales). 


Before submitting a position paper you should consider the following questions: 


• Who in ICO is best placed to lead on delivery of your preferred option? 

• What information and evidence is needed to present the case for 
intervention, and what are the contentious or difficult issues? 

• Are you aware of any limitations to the accuracy or reliability of your 
evidence and analysis? 

• Is it useful to trial and test your proposals before committing to full 
implementation? 

• What media or external affairs advice do you need, and have you consulted 
colleagues early to develop a suitable communications strategy? 

• As you developed your preferred options, have the right people 
(stakeholders and decision makers) been engaged and consulted? 


The level of detail that you provide should be proportionate to the policy issue 
and sufficient for the board to make an informed decision. Board members will 
have limited time to read the paper so do ensure that you use Plain English and 
be clear up-front about the decision you want the board to make. Avoid going 
into a high level of technical detail unless it is critical to the decision. 




Step 6: Implementation 

Implementation can take a variety of forms, and will often be phased or gradual. 
Implementation, Evaluation and Consultation may be concurrent to some extent, 
and evidence gathered during evaluation could cause us to redesign our policy or 
service, or even to go back and reconsider our options. 


Prototyping is a valuable approach if implementation is complex, as it allows us 
to rapidly iterate a solution and can help us to quickly identify and solve practical 
issues. If your implementation involves a transition period (for example a 
statutory code may have a transition period of up to a year), you may be able to 
use the time to gather additional evidence through the use of prototypes, and to 
identify and solve problems prior to full implementation. 


Communications 

A key consideration when implementing a policy decision is how to manage 
communications. The timing, purpose, content and style of communications will 
depend on the implementation approach considered and eventually adopted for 
your chosen option (as per step 3). Early engagement with Corporate 
Communications (for external comms) and the Knowledge Service (for internal 
comms) will help you identify your needs and plan accordingly. 


Policy announcements are opportunities for ICO to present a positive case for 
regulation and the benefits that it can generate for users, funders and society at 
large. Most decisions also involve complexities that may mean that certain 
groups of stakeholders feel that they are losing out, or that their particular 
interests are being paid less attention than others. You will need to consider the 
impact of communications on different stakeholder groups, and whether any 
further engagement with particular stakeholders might help. 


A variety of communications tools are available and you should use any or all of 
them as appropriate and proportionate to the policy issue. Some illustrative 
examples are listed below, and as noted above, you should always seek advice 
from Corporate Communications and the Knowledge Service: 


External: 
• Press release 
• E-newsletters 
• Blog entries 
• Relationship Management and/or Digital Economy team and/or Regional 
Offices and/or International via stakeholder meetings 
• Speaking engagements 
• Webinars 
• Twitter 

Internal: 
• ICON - front page message 
• Knowabout sessions 
• Knowledge Pack 
• Managers briefing 
• Briefing at team meetings/huddles 
• Including revised content in training materials 


Guidance 
Often, implementing a policy decision also means revising or updating some of 
our existing, externally-facing guidance, or creating new guidance. 


If you are going to produce new or updated guidance, you should first contact 
the Policy Guidance team. The team can offer advice and support on writing 
guidance, and manage the process for producing it, culminating in submitting a 
draft for approval to the Guidance Governance Board. Following the correct 
process is important for ensuring clear ownership of guidance so that it can be 
maintained, updated and retired as needed. 


The Policy Guidance team will shortly publish a “how-to” guide and this 
document will be updated to link to it when it is ready. 




Step 7: Evaluation 

Once you begin implementing a policy, you will need to measure and evaluate 
the real-world impact it is having to make sure it is really meeting our 
objectives. You should plan your evaluation early. Think about what data and 
evidence you will need to collect, and make sure it is proportionate. Make sure 
that you have the capacity and capability to analyse data and evidence. 


Evaluation can be split into two strands: 


• Process evaluation: whether an intervention is being implemented as 
intended; whether the design is working; what is working more or less 
well and why. 

• Impact evaluation: an objective test of what changes have occurred, the 
scale of those changes and an assessment of the extent to which they can 
be attributed to the intervention. 


Both strands are important in providing lessons that can be incorporated into 
future policy development processes, and both include seeking feedback from 
stakeholders. 


As an organisation that is alert, effective and always learning we need to be 
open to a) feedback regarding our policy interventions and the processes that 
underpin them, and b) working to improve the quality of our outputs. 


You will want to consider the following questions when undertaking a review: 


• What are the key success measures or performance indicators against 
which you plan to assess whether our objectives have been met? 

• Where will you find the data to assess the success indicators? Is it 
available as routine monitoring information, or will you need to collect data 
yourself? 

• Does the data you need already exist? For example, the ICO annual 
tracker measures a number of aspects of public opinion, and Ofcom 
measures online behaviour and attitudes. 

• Have you planned ahead to secure resources to undertake your 
evaluation? 

• Have you logged any lessons learnt from your evaluation, and have you 
considered how you can share these with colleagues across ICO and, 
where appropriate, with our stakeholders? 


The HM Treasury Magenta Book provides detailed government guidance on good 
evaluation practice. 




Other Considerations 


Making Regulatory Policy Quickly 

This guide describes a detailed, iterative process for policy-making. However, 
you may occasionally find yourself needing to arrive at a policy position at very 
short notice. This is not ideal, but can happen due to a crisis or other 
unexpected event arising. Should this happen, it is critical to make sure that you 
are still able to engage as many of your key stakeholders as possible. 


Policy Lab have produced the “Policy Lab in a Day” guide, and this offers a range 
of tools and techniques you can use to generate creative ideas in the shortest 
possible time. 


Fundamentally, regardless of the timeframe, you will always need to show that 
you have made recommendations based on the best available evidence. If time 
and evidence are limited, we should still be able to show the rationale for our 
eventual decision, and be able to understand its impact. 




Annex A: Summary of Devolved and UK-wide Policy 


Note: The table below is a general indication of devolved policy areas. 
Devolution law is complex. For specific advice, please contact the relevant 
office. 

Policy Area             Scottish Parliament   Welsh Assembly   NI Assembly 
Agriculture             Yes                   Yes              Yes 
Arts & Culture          Yes                   Yes              Yes 
Borders & immigration   No                    No               No 
Business                Some                  Some             Some 
Charities               Yes                   No               Yes 
Civil justice           Yes                   No               Yes 
Consumer protection     Some                  Some             Some 
Criminal justice        Yes                   No               Yes 
Data Protection         No                    No               No 
Debt                    Some                  No               Some 
Defence                 No                    No               No 
Education               Yes                   Yes              Yes 
Elections               Some                  Some             No 
Employment law          No                    No               Yes 
Energy utilities        No                    No               Yes 
Environment             Yes                   Yes              Yes 
Equalities              Some                  Some             Yes 
Financial services      No                    No               Some 
Freedom of Information  Yes                   No               No 
Health                  Yes                   Yes              Yes 
Housing                 Yes                   Yes              Yes 
Income Tax              Yes                   No               No 
Local government        Yes                   Yes              Yes 
Regulated professions   (values not given in the source) 
Social security         No  Yes (one of the three values is missing in the source) 
Social Work             Yes                   Yes              Yes 
Sport                   Yes                   Yes              Yes 
Tourism                 Yes                   Yes              Yes 
Transport               Some                  Some             Yes 




Annex B: Taxonomy of Harms 
It is important to note that the taxonomy: 

• Uses the risk management distinction between causes, events and consequences to focus on harmful consequences; 
• Is non-hierarchical and non-exhaustive, although we provide examples; 
• Contains some closely related, potentially overlapping categories of harm, and some harms can lead to others. 

In addition, we note that the taxonomy focuses on harms as opposed to the benefits of avoiding harm. 


A taxonomy of data protection consequences 

Individual harms 

Financial harm 
Description: Negligently, knowingly, or purposefully paving the way for financial losses to occur. 
Examples: Fraud; Impact on credit rating; Extortion; User damages. 

Bodily harm 
Description: Negligently, knowingly, or purposefully paving the way for physical injury to occur. 
Examples: Suicide or other self-harm; Assault. 

Costs of avoiding/mitigating harm 
Description: The cost incurred in the avoidance or mitigation of harms or vulnerabilities related to data privacy. 
Examples: Time spent avoiding harm/risk of harm; Security costs. 

Discrimination 
Description: Harms arising from discrimination or bias (either conscious or unconscious). 
Examples: Entrenched bias in automated decisions; Price discrimination. 

Unwarranted intrusion 
Description: Unwanted communications or intrusions that disturb tranquillity, interrupt activities, sap time or increase the risk of other harms occurring. 
Examples: Targeted advertising; Nuisance calls or spam; Unwarranted surveillance. 

Loss of confidentiality 
Description: Loss of confidentiality with the potential to lead to other harms or an increased risk of harm. 
Examples: Reversed pseudonymisation; Breach leading to fraud or spam; Damage to personal or professional relationships. 

Loss of control of personal data 
Description: Harms from thwarted expectations, through misuse, repurposing, unwanted retention or continued use and sharing of personal data, including a lack of commitment to the accuracy of data. 
Examples: Unwarranted surveillance; Failure to maintain quality of data; Injury to peace of mind and ability to manage risk; Restrictions on ability to access or review use of personal data; Incompatible repurposing leading to distress. 

Lack of autonomy; manipulation and influence 
Description: Restriction, coercion, or manipulation of people's choices or their ability to make an informed choice. 
Examples: Unwarranted nudging; Power and information asymmetry. 

Emotional distress (embarrassment, anxiety, fear) 
Description: Negligently, knowingly, or purposefully paving the way for emotional distress to occur. 
Examples: Detriment to mental health; Loss of sense or control of identity; Distressed relationships; Loss of confidence. 

Detriment from exposure of personal data 
Description: Detriment such as relationship breakdown, reputational damage or harassment/bullying brought on through exposure of personal data. 
Examples: Relationship breakdown; Reputational loss/loss of standing; Harassment/bullying; Stigmatisation. 

Chilling effects 
Description: Reduced use of services or activities due to an actual or perceived risk of potential harm. 
Examples: Reduced activities requiring a good credit rating; Fear of sharing data due to perceived risk. 

Societal harms 

Adverse effects on rights and freedoms 
Description: Negative impacts on rights and freedoms in and of themselves. 
Examples: Restrictions to data privacy rights; Restrictions to freedom of assembly; Chilling effects on freedom of expression. 

Damage to law and justice 
Description: Restrictions on or subversion of legislative intent, or legal or judicial process. 
Examples: Creating a route for widescale subversion of a law; Chilling effects on victims or witnesses. 

Damage to media, information and public discourse 
Description: Negative impacts on media, information and public discourse at a societal level. 
Examples: Mistrust in handling of the electoral roll influencing elections or voter turnout; Widespread mistrust leading to chilling effects on freedom of expression. 

Damage to public health 
Description: Harms resulting in adverse health outcomes for society. 
Examples: Mistrust in handling of health data leading to chilling effects on health service use. 

Damage to the economy 
Description: Negative impacts on the economy that are significant at the local, regional, or national level, or for a specific sector. 
Examples: Loss of trust from widespread privacy abuses leading to chilling effects on major services; Misuse of personal data leading to unfair competitive advantage. 

Damage to the environment 
Description: Negative impacts on the environment either directly or indirectly resulting from misuse of data or mitigation of associated risk. 
Examples: High energy use associated with data mining, storage and sharing; Loss of ecological diversity and/or green space due to land use for server farms. 


